1. Field of the Invention
The present invention relates to an apparatus, system and method for detecting malicious code, and more particularly, to a system and method for extracting information on the threads of processes running on a computer system, determining whether those threads were created by malicious code, and analyzing the behavior of the malicious code in a virtual environment, so as to detect malicious code that hides inside a normal process.
2. Discussion of Related Art
As Internet services have diversified, use of the Internet keeps increasing, and malicious code such as computer viruses and Internet worms spreads widely over the Internet and causes extensive damage to its users. In particular, damage continues to be caused by malicious code such as the bot that triggered the "7.7 chaos" (the distributed denial-of-service attacks of July 7, 2009). Such malicious code performs its malicious behavior on a user's personal computer (PC) under command and control (C&C) by inserting a thread into a normal process, which then acts as the bot's server component. To hide its presence, the malicious code disguises itself as a normal process by means of dynamic link library (DLL) injection or code injection.
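The two hiding techniques named above leave a trace that thread-level inspection can pick up: a thread created by code injection starts at an address that belongs to no loaded module, and a thread created by DLL injection starts inside a module whose image was loaded from a location the host process would never normally load from. The following is an added example, not code from the patent or from any product, that applies exactly this check to a constructed snapshot of one process. On Windows the thread and module records would be filled from CreateToolhelp32Snapshot/Thread32Next, NtQueryInformationThread with the ThreadQuerySetWin32StartAddress class, and EnumProcessModulesEx/GetModuleInformation/GetModuleFileNameExW; here the snapshot, the module addresses, the paths and the trusted-directory policy (TRUSTED_PREFIXES) are all assumptions constructed inline so the code runs anywhere.

```python
"""Flag threads whose start address points at injected code or an injected DLL.

Added example. The process snapshot below is constructed by hand; a real
collector would populate it from the Windows thread/module enumeration APIs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LoadedModule:
    path: str   # full image path as reported by the loader
    base: int   # load address of the image
    size: int   # size of the mapped image

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


@dataclass(frozen=True)
class ThreadRecord:
    tid: int
    start_address: int  # Win32 start address of the thread


# Assumption: modules are only trusted if they live under the Windows
# directory or beside the process's own image. Anything loaded from a
# user-writable location (e.g. %TEMP%) is treated as a likely injected DLL.
TRUSTED_PREFIXES = ("c:\\windows\\",)


def owning_module(address: int, modules: List[LoadedModule]) -> Optional[LoadedModule]:
    """Return the loaded module whose image range contains `address`, if any."""
    for module in modules:
        if module.contains(address):
            return module
    return None


def classify_thread(thread: ThreadRecord, modules: List[LoadedModule],
                    image_path: str) -> Tuple[str, str]:
    """Classify one thread as benign, dll_injection or code_injection."""
    module = owning_module(thread.start_address, modules)
    if module is None:
        # Code injection: the thread runs from memory that is not backed by
        # any loaded image (e.g. a VirtualAllocEx'd region in the target).
        return ("code_injection",
                f"thread {thread.tid}: start address {thread.start_address:#010x} "
                f"lies outside every loaded module")
    path = module.path.lower()
    image_dir = image_path.lower().rpartition("\\")[0] + "\\"
    if path.startswith(TRUSTED_PREFIXES) or path.startswith(image_dir):
        return ("benign", f"thread {thread.tid}: starts in {module.path}")
    # DLL injection: the start address is inside a module, but that module
    # was loaded from a location the host process has no business loading from.
    return ("dll_injection",
            f"thread {thread.tid}: starts in {module.path}, loaded from an untrusted location")


def scan_process(threads: List[ThreadRecord], modules: List[LoadedModule],
                 image_path: str) -> List[Tuple[int, str]]:
    """Return (tid, verdict) for every thread of the process."""
    return [(t.tid, classify_thread(t, modules, image_path)[0]) for t in threads]


# Constructed snapshot of a host process (addresses and paths are made up).
IMAGE_PATH = "C:\\Windows\\explorer.exe"
MODULES = [
    LoadedModule(IMAGE_PATH, 0x00400000, 0x002E0000),
    LoadedModule("C:\\Windows\\System32\\ntdll.dll", 0x77D00000, 0x001A0000),
    LoadedModule("C:\\Windows\\System32\\kernel32.dll", 0x77B00000, 0x00110000),
    # Injected DLL: valid module, but loaded from a user-writable temp directory.
    LoadedModule("C:\\Users\\victim\\AppData\\Local\\Temp\\evil.dll", 0x10000000, 0x00020000),
]
THREADS = [
    ThreadRecord(1234, 0x00401200),  # main thread, inside explorer.exe
    ThreadRecord(1240, 0x77D15000),  # worker started inside ntdll.dll
    ThreadRecord(1300, 0x10001000),  # started inside the injected DLL
    ThreadRecord(1310, 0x02A40000),  # started in an anonymous memory region
]


def suspicious_threads() -> List[Tuple[int, str]]:
    """Convenience wrapper: only the threads that are not benign."""
    return [(tid, verdict) for tid, verdict in scan_process(THREADS, MODULES, IMAGE_PATH)
            if verdict != "benign"]


if __name__ == "__main__":
    for thread in THREADS:
        print(*classify_thread(thread, MODULES, IMAGE_PATH))
```

This is a heuristic, not proof. Legitimate just-in-time compilers and some hooking frameworks also create threads that start outside any module, and malware can defeat the start-address check by starting its thread at an exported function such as LoadLibraryW (so the start address is inside a trusted module) or by hijacking an already running thread instead of creating a new one. Findings from this check are what the page's approach then confirms by running the suspect code in a virtual environment.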
A conventional malicious code detection method generates a signature from the hash value of the binary or from a contiguous byte sequence in a specific area of the code and compares it with the signatures registered in a malicious code binary pattern database to decide whether the code is malicious. If it is, the process is forcibly terminated and the file deleted. Because such a method relies on binary pattern comparison, previously known malicious code is very likely to be detected, but malicious code that is not yet in the database cannot be detected at all.
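The limitation described above is easiest to see with both signature types side by side. The example below is added here and is not the patent's own code; the "database" is two hand-built entries derived from a constructed sample, and the sample itself (a fake MZ header, a six-byte x86 function prologue, and a beacon string) is made up. It scans the known sample, two variants of it, and an unrelated file, showing that a one-byte change anywhere defeats the whole-file hash, that an equivalent re-encoding of the signed region defeats the byte-sequence signature as well, and that code absent from the database is never caught.

```python
"""Whole-file hash and byte-sequence signatures against constructed samples.

Added example. Every byte below is constructed; nothing here is a real sample.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed "known malicious" sample: fake MZ header, x86 prologue
# (push ebp; mov ebp,esp; sub esp,0x40), padding, and a beacon string.
KNOWN_SAMPLE = (
    bytes.fromhex("4d5a9000" "03000000" "04000000" "ffff0000")
    + b"\x55\x8b\xec\x83\xec\x40"
    + b"\x90" * 8
    + b"CNC_BEACON\x00"
)


def signature_hash(data: bytes) -> str:
    """Whole-file signature: SHA-256 of the entire binary."""
    return hashlib.sha256(data).hexdigest()


# Byte-sequence signature taken from a specific area of the known sample
# (offset 16, the six prologue bytes).
SEQ_OFFSET = 16
SEQ_PATTERN = KNOWN_SAMPLE[SEQ_OFFSET:SEQ_OFFSET + 6]

# The "malicious code binary pattern database", built from the known sample.
HASH_DB: Dict[str, str] = {signature_hash(KNOWN_SAMPLE): "Bot.Sample"}
SEQ_DB: List[Tuple[str, int, bytes]] = [("Bot.Sample", SEQ_OFFSET, SEQ_PATTERN)]


def match_hash(data: bytes) -> Optional[str]:
    """Exact match: any change to any byte of the file defeats this."""
    return HASH_DB.get(signature_hash(data))


def match_sequence(data: bytes) -> Optional[str]:
    """Positional byte-sequence match: survives changes outside the signed area."""
    for name, offset, pattern in SEQ_DB:
        if data[offset:offset + len(pattern)] == pattern:
            return name
    return None


def scan(data: bytes) -> Tuple[str, Optional[str]]:
    """Return (signature_type_that_fired, family_name) or ("none", None)."""
    name = match_hash(data)
    if name:
        return ("hash", name)
    name = match_sequence(data)
    if name:
        return ("sequence", name)
    return ("none", None)


# Variant 1: one byte changed outside the signed area ('C' -> 'c' in the beacon).
STRING_VARIANT = bytearray(KNOWN_SAMPLE)
STRING_VARIANT[SEQ_OFFSET + 6 + 8] ^= 0x20
STRING_VARIANT = bytes(STRING_VARIANT)

# Variant 2: the signed prologue re-encoded with an equivalent instruction,
# sub esp,0x40 (83 ec 40) -> add esp,-0x40 (83 c4 c0). Same behavior, new bytes.
PROLOGUE_VARIANT = bytearray(KNOWN_SAMPLE)
PROLOGUE_VARIANT[SEQ_OFFSET + 4:SEQ_OFFSET + 6] = b"\xc4\xc0"
PROLOGUE_VARIANT = bytes(PROLOGUE_VARIANT)

# Unrelated file that was never seen before (constructed ELF-like bytes).
UNKNOWN_SAMPLE = b"\x7fELF" + bytes(range(40))


def scan_all() -> Dict[str, Tuple[str, Optional[str]]]:
    """Scan every constructed input and return the verdict for each."""
    return {
        "known": scan(KNOWN_SAMPLE),
        "string_variant": scan(STRING_VARIANT),
        "prologue_variant": scan(PROLOGUE_VARIANT),
        "unknown": scan(UNKNOWN_SAMPLE),
    }


if __name__ == "__main__":
    for label, verdict in scan_all().items():
        print(f"{label:17s} -> {verdict}")
```

Only the first two inputs are detected. A single flipped byte already pushes the scanner down to its byte-sequence fallback, a semantically equivalent re-encoding of the signed region escapes both signatures, and the unknown file is never even a candidate, which is the gap the behavior-based approach on this page is meant to close.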
Alternatively, hooking of specific application programming interfaces (APIs) or hooking at the kernel layer can be used to detect malicious code. In the former scheme, however, only the hooked APIs are observed, so a user must still monitor the code's behavior and judge for themselves whether it is malicious. In the latter scheme, a malfunction of the hook inside the kernel can cause a critical failure of the whole system.